[German]Update KB5058379 for Windows 10 22H2 (and also the Windows 11 pendants) from May 13, 2025 has caused issues for some users and administrators. Windows was locked on affected machines because the system requested the Bitlocker recovery key when booting. There are also reports of blue screens caused by the update.
Windows 10 22H2 Update KB5058379
Cumulative Update KB5058379 contains security fixes that are mentioned in the article Microsoft Security Update Summary (May 13, 2025). According to the support article, the Secure Boot Advanced Targeting (SBAT) detection for dual boot systems with Linux has finally been improved (after 9 months) (see Patchday: Windows 10/11 Updates (May 13, 2025)).
Reader reports about Bitlocker problems, also in Windows 11
German blog reader Daniel wrote in this German comment on May 15, 2025 that the update installation in his corporate environment failed on some Windows 10 22H2 clients. There was then a rollback and the system wanted a recovery key to start.
Phil confirms the problem in this comment and writes that sometimes a Bitlocker recovery key had to be entered to start. Or the affected client ends up in a WinRE boot loop. Then only a system recovery to a point in time before the update installation helped. He notes that several users are probably affected, the whole thing is independent of the manufacturer. He opened a support case with Microsoft.
German reader Gernot confirmed here, that this problem occurs at many companies with Windows 10 systems. In his case, half of all employees were affected. They then contacted IT to obtain the necessary Bitlocker recovery keys. After publishing the German edition of this blog post, several German blog readers commented, that they also observing this Bitloocker recovery key issue on Windows 11 clients.
Suggested workaround
Gernot wrote in his comment that you have to deactivate the option "Intel Trusted Execution Technology (Intel TXT)" in the Bios/UEFI as a workaround. The update can then be installed successfully. This workaround is also mentioned in the reddit.com post KB5058379 – Causing Devices to boot into Windows Recovery or requiring Bitlocker recovery keys on boot linked by Phil.
Further reports of problems
I have since seen that Windows Latest has published the article Windows 10 KB5058379 locks PCs, BitLocker Recovery triggered on boot, BSODs about this problem. PCs from Dell, HP and Lenovo with Windows 10 22H2 and Windows 10 21H2 Enterprise / LTSC are affected.
Windows Latest also suggests the above workaround by disabling the BIOS option. Windows Latest links to the Patchday Mega thread on reddit.com, where users confirm the problem. The Windows Latest post also contains instructions on how to proceed if a Bitlocker recovery key is requested.
However, the Windows Latest article also reports that the cumulative update KB5058379 triggers blue screens. Deactivating VT for Direct I/O in the BIOS virtualization settings allows the system to boot again. However, this is not a real "solution" for the cause of the problem, notes the person concerned according to the following text excerpt.
Seeing an issue with Win10 22H2 19045.5854 – KB5058379. BSOD after updating.
Disabling VT for Direct I/O in BIOS virtualisation settings allows the computer to boot again, but not a real 'fix' for why this is happening.
Opened a ticket with Microsoft and will update when I hear back.
Edit: Nothing from Microsoft, but an update to the BIOS setting. If disable "OS Kernel DMA Support" and leave Direct I/O enabled, that allows me to boot to OS. I'm also seeing a fun error in the system log, which corresponds with the timing of failed boots: "the virtualisation-based security enablement policy check at phase 6 failed with status: unknown NTSTATUS error code: 0xc0290122" May/may not be related.
One user confirms that he receives an error "Unknown NTSTATUS Error code: 0xc0290122" with every failed boot attempt.
Fixed with an out-of-band update, see Windows 10: Out-of-Band Update KB5061768 for Bitlocker issue (May 19, 2025).
Similar articles:
Microsoft Security Update Summary (May 13, 2025)
Patchday: Windows 10/11 Updates (May 13, 2025)
Patchday: Windows Server-Updates (May 13, 2025)
Patchday: Microsoft Office Updates (May 13, 2025)
From what I've read, it's not Intel VT I/O, but Intel Trusted Execution (Intel TXT) that shoud be disabled to allow the update to go through and then enabled again afterwards.
fixed by installing out-of-band Windows 10 KB5061768 update released Monday May 19 (builds 19044.5856/19045.5856 for 21H2 & 22H2 respectively):
https://support.microsoft.com/help/5061768
also recently reported by this Neowin article:
https://www.neowin.net/news/windows-10-emergency-update-kb5061768-fixes-bitlocker-boot-loops/
See Windows 10: Out-of-Band Update KB5061768 for Bitlocker issue (May 19, 2025)